02_01_slide_nature
Ransomware Attacks – 5 min read

What are examples of spear phishing attacks used in Canada?

Spear phishing is an email attack that is designed to look and read as though it has been sent from a trusted source or from someone in a position of power. The email encourages the recipient to open an attachment or click on a link. The act of opening an attachment or clicking on a link then transmits malware to the user's computer.

Spear phishing attacks often target a specific organization or individual in an attempt to gain unauthorized access to sensitive information.  Spear phishing emails are highly targeted and designed to advance a criminal’s agenda, whether for financial gain or access to trade secrets. The email might even appear to be coming from your boss and be crafted in a tone that resembles your boss. For example, a CFO may receive an email purporting to be from the CEO asking that they transfer money to a certain account.

Canadian organizations have proven to be at risk due to the ubiquitous use of technology.  The speed at which businesses have become technologically reliant has exposed weaknesses to foundational IT operations. In addition, many businesses transition to an online platform without proper knowledge of or preparation for the threats that await them.

IBM has reported on cybercriminals, likely operating out of Ukraine, that have been targeting Canadian businesses with customized phishing attacks. The attacks were designed to trick those with account access to divulge their company’s online banking credentials, one-time passwords and two-factor authentication codes. The goal of this targeted phishing attack was to take the account over and transfer money to mule accounts that were controlled by the criminals. Like other attacks the first step was a sophisticated spear phishing email sent to very specific senior employees with content that appeared legitimate, including bank logos.

 

City of Ottawa Spear-Phishing Attack

An example of a spear-phishing attack in Canada involved an executive at the City of Ottawa. Marion Simulik, City Treasurer, was targeted and tricked into sending more than $100,000 to a fraudster in the United States. She did so in response to what she thought was a legitimate request from the city manager to pay a supplier. Simulik reached out to the supplier to verify the details, and over the course of a few hours they emailed back and forth. Simulik then sent what she thought was the fulfillment of a legitimate payment request. Revelling in their success, the cyber bad guy reached out to Simulik a second time a few days later, pretending once again to be the city manager and requested that she pay an additional $150,000 to the same supplier. Thankfully, the second request came at a time when Simulik was with the city manager and she asked him about the payment. Once they realized that the email was a phishing attack, the Ottawa police were contacted. In a fortunate turn of events, the fraudsters transferred the original payment from one US account to a second US account which was being watched by the US secret service. Within a month, the US authorities reached out to the City of Ottawa to inform them that they were victims of cybercrime (which they already knew). Given that the second account was being monitored, there is a good chance that the City of Ottawa will get some of their money back. Simulik, a well-respected senior public servant, was shaken by the incident. She gave a statement to city council in which she stated: "That I should be the target and victim of this sophisticated attack has affected me deeply both professionally and personally." 

Read more

 

Social Engineering

 

The key to a successful spear phishing attack is personalization. The personalization is also known as social engineering. As previously mentioned, in most spear phishing attacks, the apparent source of the email is often someone in a position of authority within the recipient's own organization—or someone that the target knows of personally. The ultimate success of a spear phishing attack requires the following factors:

  1. The apparent source is a known and trusted individual
  2. Information within the message supports its validity
  3. The request makes sense


Prior to sending the email, the attacker gathers information about the target in order to personalize the spear-phishing attack. This personalization makes malicious emails seem more trustworthy. The attackers may spend months gathering information about the intended target before actually sending the email.

 

Social engineering is most common in emails, but similar attacks can also be done over the phone or in person. In each case, the criminal will present themselves with confidence and authority, and will be very well prepared and knowledgeable of you and your company.

 

Personalization makes malicious emails seem more trustworthy.

 

How Spear Phishing Works

 

Criminals can gather information about a target from their social media accounts, primarily LinkedIn or other business networking platforms, to build a comprehensive understanding of a company’s staff and its immediate networks.

They usually target someone in the company at an administrative level, and pose as an authority figure that they don’t have much day-to-day interaction with. By posing as legitimate figure and coupled with a tone of urgency, these emails prompt the target to act fast without giving the matter a sober second thought.

 

Security Awareness Training

 

In the absence of a cyber security awareness protocol, it's possible for spear phishing to happen a number of times through the same person. Once the criminal has established communication and has succeeded in their first attack, they are in a good position to continue to target the same person because now they have that employee’s trust.

Security awareness training reduces the likelihood of a user falling for spear-phishing tactics. This training should educate staff on how to spot suspicious email domains or links, as well as being aware of tell-tale wording in the messages and the information that may be requested in the email.

It is also important for businesses to educate their employees about social media activity vulnerabilities. What are they posting on their social media accounts? Are they unknowingly revealing sensitive information on public platforms that can be used by criminals to exploit their trust?

Employees at every level should be trained to recognize suspicious emails or phone calls. That email from the CFO requesting a money transfer to another account? Maybe you should confirm directly with the CFO before you take any steps. Spear fishing in Canada is a growing concern but with cyber security education you can minimize your risk exposure.

 

The best defence against spear phishing attacks is ongoing education through security awareness training. To book a cybersecurity session for your team, get in touch with CITI.


Guide to Ransomware Attacks in Canada
Guide to Email Security from our Practice Safe Cyber Series Download Your Poster
Global Toronto and CreateTO City of Toronto Agencies Case Study
Learn about your IT security. Register for a free cybersecurity consultation.  Book Now
Guide to Ransomware Attacks in Canada
Considering moving to the cloud? Find out if the cloud is right for your company.Book Now
New IT Infrastructure Transforms Organization. KCI Ketchum Canada
Engage our services and get 10 hours free. It's easy to work with CITI. Become a client.Book Appointment

IT Insights from our Blog

Read more

We're here to help!

Moving to the Cloud
Cybersecurity

Is your management team asking about your IT security policies and practices? Are you worried about a cybersecurity breach? CITI’s comprehensive IT security services provide all the information your company needs to deal with current and future security situations and concerns. Learn about your IT security. Register for a free cybersecurity session.

Managed Services

There is another way to manage your IT that doesn’t require you call your IT firm. Managed IT services offer proactive care, support, monitoring and maintenance of your computer systems for a fixed monthly fee. Process-driven, less involvement, more predictable cost. Yes, Virginia, there is a way to keep your IT running smoothly that does not require you to make a call.

Pay-As-You-Go

Are you concerned about minimizing IT maintenance costs? Perhaps you’re techno savvy. Or maybe you only need an IT firm for complex IT situations. CITI can provide exactly the volume of IT services that you want and need from network troubleshooting to helping a user with a jammed printer. Our full range of services are available on a per incident basis.

Disaster Recovery

Is the stuff of your nightmares power outages? The only way to deal with a severe interruption to business operations is to plan for it. Beginning with a disaster recovery plan through implementing and maintaining failsafe, foolproof, rock-solid offsite backups, CITI has helped 100s of companies protect their most valuable asset—their data and systems.

IT Consulting

Uncertain if your company should move to the cloud? Do you have doubts about the best way to back up your data? Looking for ways to minimize your vulnerability to IT security breaches? Perhaps you’re looking for help with your annual IT budget. CITI’s IT advisory services help businesses make informed strategic and tactical decisions on information technology.

Call Us

416-603-2442